Deepfakes, AI Fraud, and E-Signatures – What Actually Protects Against Identity Forgery?

Jarmo Tuisk
Agrello
How deepfake technology threatens everyday decision-making and why the qualified electronic signature (QES) is the strongest defense against identity forgery.

In early 2024, an employee in the finance department of a multinational company in Hong Kong joined a video call with his team and CFO. The call looked perfectly normal — familiar faces, familiar voices, familiar context. The CFO gave an instruction to transfer $25 million. The employee complied.

No one on the call was real. Every face and voice had been generated with deepfake technology.

How was this possible? Because the entire verification process rested on one thing: the employee trusted his own eyes and ears.

We Confirm Decisions With Our Senses — and That's Now a Problem

Think for a moment about how approval decisions actually happen in your organization.

A manager says in a meeting: "Yes, let's go ahead." Someone sends an email: "Confirmed." On a call, it's agreed: "Send the invoice, I'll sign it." A familiar face on screen nods.

All of these confirmations rely on sensory input — we recognized the voice, saw the right face, read a familiar writing style. This has worked for thousands of years. The problem is that all of it can now be generated.

The FBI's cybercrime unit has said it plainly: generative AI makes fraud schemes more convincing and more scalable. Europol has added that deepfake technology is becoming a standard tool for organized crime. Not tomorrow — right now.

This Is an Everyday Problem

The Hong Kong story is dramatic, but the threat isn't in the dollar amount. The threat is in the logic pattern, which is the same everywhere:

Someone presents themselves as the right person -> someone else believes them -> a decision is made.

The same pattern works when an HR manager gets a "call from the CEO" asking to change an employee's contract terms. The same pattern works when an accountant receives a "letter from management" approving an emergency payment. The same pattern works when a school principal "confirms" a procurement document they never actually saw.

The attack surface isn't technical infrastructure. The attack surface is everyday decision-making moments where we trust what we see and hear.

The question isn't whether someone will attempt this kind of attack against your organization. The question is: when they do, how will you prove what actually happened?

Good News: There's a Solution, and It's Not New

The problem feels new, but the solution has actually been around for years. A cryptographic signature doesn't rely on what someone looks like or sounds like. It's based on a unique key pair and certificate combination that is impossible to reproduce without the signer's personal device and authentication.

A deepfake can imitate a face. It cannot imitate a cryptographic key.

The highest signature level under the EU's eIDAS regulation is the qualified electronic signature (QES), and it's used every day. The key difference from all other signature levels: the EU recognizes QES as legally equivalent to a handwritten signature.

How a Qualified Electronic Signature Works in Practice

Most people use a basic electronic signature — typing a name, checking a box, uploading an image of a "signature." It's convenient. But in a dispute, the question arises: how do you prove that this specific person actually did it?

A qualified electronic signature solves this by creating a verifiable chain:

The person is identified through a qualified certificate — not because they looked like themselves on screen, but because they passed strong identity verification.

The document content is fixed at the moment of signing. If anyone changes even a single character after signing, it's detectable.

The timestamp is fixed with a cryptographic time seal.

The chain of trust is traceable: the signature was issued through a qualified trust service provider listed on the European Commission's public trusted list. Anyone can verify whether the chain is valid.

This entire chain is independently verifiable — without having to trust someone based on their face, voice, or email style.
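
The chain above in miniature, as an added Go example (not Agrello's code and not a real eIDAS signature format): a constructed root key stands in for a provider on the trusted list, and all names, keys and document text are constructed. It covers the certificate chain and document integrity only; the qualified time seal and certificate policy checks are left out.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// issue makes a key pair and certifies it under parent; a nil parent yields a self-signed root.
func issue(cn string, parent *x509.Certificate, caKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true}
	if parent == nil {
		t.IsCA, t.KeyUsage, parent, caKey = true, x509.KeyUsageCertSign, t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, caKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we produced one line earlier
	return cert, key
}
// verify checks the chain of trust first, then the signature over the exact document bytes.
func verify(doc, sig []byte, cert *x509.Certificate, trusted *x509.CertPool) (string, error) {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: trusted}); err != nil {
		return "", fmt.Errorf("chain of trust: %w", err)
	}
	if pub, ok := cert.PublicKey.(ed25519.PublicKey); !ok || !ed25519.Verify(pub, doc, sig) {
		return "", fmt.Errorf("signature does not match document")
	}
	return cert.Subject.CommonName, nil
}
// demo uses constructed data: genuine signature, altered document, look-alike signer.
func demo() (signer string, genuine, altered, lookalike error) {
	root, rootKey := issue("Constructed Trust Service Root", nil, nil)
	trusted := x509.NewCertPool()
	trusted.AddCert(root)
	doc := []byte("Pay 100 EUR to account A")
	jane, janeKey := issue("Jane Example", root, rootKey)
	sig := ed25519.Sign(janeKey, doc)
	signer, genuine = verify(doc, sig, jane, trusted)
	_, altered = verify([]byte("Pay 900 EUR to account A"), sig, jane, trusted)
	fake, fakeKey := issue("Jane Example", nil, nil) // same name, key never certified
	_, lookalike = verify(doc, ed25519.Sign(fakeKey, doc), fake, trusted)
	return
}
func main() { fmt.Println(demo()) }
```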

A Quarter Century in the Baltics

The qualified electronic signature is not a new invention. The Baltics have been using it since before the concept of deepfakes even existed.

Estonia passed its Digital Signatures Act in 2000 — one of the first countries in the world to do so. In 2002, the first ID cards were issued with a chip enabling both authentication and qualified signing. That same year, Estonia's first digital signature was created: the mayors of Tallinn and Tartu signed a cooperation agreement. From that moment, something began that the rest of Europe is only now catching up to.

Latvia enacted its Electronic Documents Law in 2003 and built the eParaksts infrastructure — a national e-signature system managed by LVRTC. In 2012, Latvia introduced an eID card with digital signature capability, and since 2021, it has been mandatory for all citizens over 15.

Lithuania passed its electronic signature law the same year as Estonia — 2000. The first identity cards were issued in 2003, and from 2009 they included a digital signature chip. Today, Lithuania has over 1.6 million Smart-ID users — in a country of 2.8 million people.

In all three countries, digital signing was part of everyday life by the mid-2000s — company registration, banking, tax reporting.

Then came mobile solutions. Estonia launched Mobile-ID in 2007, which worked without a smartphone — a SIM card and PIN code were enough. In 2017, SK ID Solutions launched Smart-ID simultaneously in all three Baltic states. Within two months, there were over 100,000 users. Today, Smart-ID has over 3 million active users and is certified for creating qualified electronic signatures.

The numbers speak for themselves: in Estonia alone, over 800 million digital signatures have been created over the past 20 years. This is a country of 1.3 million people.

Why does this matter in the context of deepfakes? Because in the Baltics, cryptographic identity verification isn't something experimental. It's the norm. And it's precisely this norm that is now becoming relevant for all of Europe.

Europe Is Catching Up: The EUDI Wallet Makes QES Accessible to Everyone

In 2024, the updated European digital identity regulation, eIDAS 2.0, entered into force. It requires every EU member state to offer its citizens a European Digital Identity Wallet (EUDI Wallet). The deadline: end of 2026.

This means that the qualified electronic signature — used in the Baltics for over two decades — will soon be available to 450 million Europeans directly from their smartphones. The wallet will allow users to store their digital identity, present documents, and create qualified electronic signatures — without a separate card reader, SIM card, or service provider contract.

For the Baltics, this isn't a revolution — it's a logical continuation. For the rest of Europe, it's a paradigm shift — and in the age of deepfakes, an extremely timely one.

What This Means for You — and What It Doesn't

Honest answer: the qualified electronic signature doesn't solve everything.

A deepfake can be used to convince a real person to sign the wrong document. "Please sign quickly, this is the final version." "We discussed this on the call, you agreed." QES proves that someone signed — but it doesn't protect against being deceived into signing.

That's why QES is a strong foundation, complemented by sensible habits:

For high-risk documents — use a second channel. If someone asks you to urgently sign something important, verify through a different channel (call, message) whether the request is genuine.

For unusual requests — pause. "The boss asked to confirm immediately" is a classic manipulation pattern. The more urgent the request, the more it deserves scrutiny.

For signed documents — verify. Build a habit of checking the signature status and chain of trust on important documents. Not as an exception, but as a routine.

Speed Still Matters — But Speed Without Provability Is Risk

Digital transformation has been a speed story for years: faster signing, faster approval, less paper. That was right, and it remains important.

But a world where video and voice can be faked demands provability alongside speed. If you can't show who confirmed what, then speed is no benefit — it's just a quickly created problem that's difficult to untangle later.

The qualified electronic signature is one of the few tools that gives your organization's decisions both mathematical and legal weight that no deepfake can shake. Not because it's a regulatory requirement, but because it works.

Agrello supports qualified electronic signatures and helps build workflows where important decisions are documented, verified, and dispute-proof. Try it free and see how it works for you in practice.

